WHAT IS CLAIMED IS: 



1 . A method to diagnose a problem from multiple events in a system of 
managed components generating real-time events of problems, comprising: 

forming fuzzy cognitive maps (FCMs) including causally equivalent FCM 
fragments using network element interdependencies derived from a database 
defining the network managed objects and event notifications that convey the state 
of one or more managed objects; 

sampling generated incoming real-time events from the system; and 
diagnosing problems by mapping the sampled events to the formed FCM 
fragments, 

2. The method of claim 1, wherein forming the FCM fragments comprises: 
determining event nodes from events in the database; 

identifying concept nodes from the determined event nodes; and 
forming FCM fragments including interdependencies between the concept 
and event nodes using the determined event nodes and the identified concept nodes. 

3. The method of claim 2, wherein diagnosing the sampled events comprises: 
mapping the sampled real-time events to the formed FCM fragments 

including determined event nodes to evaluate the effect of the mapped event nodes 
on the identified concept nodes using the determined interdependencies; 

identifying the problems by analyzing the concept nodes based on the 
outcome of the evaluation; and 

diagnosing the problems based on the outcome of the analysis. 

4. The method of claim 3, wherein the system comprises: 

a system selected from the group consisting of explicit system, imphcit 
system, centralized system, partially centralized system, aad distributed system. 
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5. The method of claim 3, wherein the events comprise: 
exceptional conditions occurring in the operation of the network. 

6. The method of claim 5, wherein the event nodes comprise: 

signific^t events selected from the group consisting of hardware/software 
failures, performance bottlenecks, configuration problems, and security violations. 

7. The method of claim 6, wherein determining the event nodes comprises: 

determining the event nodes from a database defining the network managed 
objects and event notifications that convey the state of one or more managed 
objects. 

8. The method of claim 7, wherein determining the event nodes further 
comprises: 

determining the event nodes from expert knowledge of the network. 

9. The method of claim 8, wherein the managed objects comprise: 
objects selected from the group consisting of network objects, attached 

systems, and apphcation objects. 

10. The method of claim 8, wherein the database comprises: 

static information associated with each class of managed md/or dynamic 
information that affects the causal propagation of events. 

1 1 . The method of claim 3, wherein sampHng the incoming real-time events 
comprises: 

sampling the incoming real-time events sequentially in the order they are 
received. 

12. The method of claim 3, wherein identifying the concept nodes comprises: 
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identifying a composite set of events that capture the notion of an abstract 
exception condition in the network. 

13. The method of claim 12, wherein the abstract exception condition comprises: 
abstract exception conditions selected from the group consisting of a notion 

of fault and a notion of performance degradation, a network card in a 
commimication system being faulty with the number of users being served by the 
communication system drastically reducing, and link between two routers going 
down leading to the use of altemate paths which lead to congestion and 
performance. 

14. The method of claim 12, wherein capturing the abstract exception condition 
comprises: 

capturing normal paths based on predetemiined criteria on which the events 
have to be diagnosed. 

15. The method of claim 14, wherein the criteria comprises: 
causal and temporal inconsistencies between events. 

16. The method of claim 1, wherein forming the FCM, comprises: 
capturing system event interdependencies. 

17. The method of claim 15, wherein capturing the system event 
interdependencies comprises: 

interconnecting event and concept nodes using interdependency arcs 
capturing temporal and logical dependencies. 

18. The method of claim 17, wherein the interdependency arcs comprise: 
weights based on temporal and logical dependencies. 
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19. The method of claim 3, wherein evaluating the effect of the received event 
nodes on the concept nodes, comprises: 

computing an indirect effect of events (predictive event-correlation) on 
concept nodes using the equations: 

Ipx(Ei, Ci) = nmi( g (Ei, Q)) = imn( (Ei, Ej^) © 8 niin( g (Eu. Q) 

wherein the indirect effect of events Ej on concept nodes Ci can be defined as 
the intersection of the Unked causal types and can be described by the above equation, 
is a function which takes Iij to [0,1] in path 'p' i.e. e^j = f ^ (ly, ), ixy € {0,1 }, 

and © represents a concatenation of paths, wherein the concatenation operator© is 
generally considered as a fuzzy 'and' operator, wherein the operator (t-norm) for 
intersection of two fuzzy sets other than 'min' can be used using a 'bounded 
difference,' wherein the bounded difference can be computed using the equation: 

U^lXpXyip)) = max{0,^^(x) + /i/^) -1} 

wherein ti() is a t-norm between fuzzy sets A and B with membership 
functions |iiA and )Ib. 

20. The method of claim 19, wherein mapping the received real-time events to 
the formed FCM fragments comprises: 

correlating the received events to the identified concept nodes to evaluate the 
effect of the received event nodes on the identified concept nodes using the 
determined element interdependencies. 

21. The method of claim 20, wherein correlating the received events to the 
concept nodes further comprises: 

accumulating evidence based on the received event nodes; 
comp^ing the accimiulated evidence to a threshold value; and 
analyzing the concept nodes based on the outcome of the comparing to 
evaluate the effect of the received event nodes. 
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22. A method for diagnosing problems from multiple events in a communication 
network including managed components generating real-time events of problems, 
comprising: 

forming fuzzy cognitive maps (FCMs) including causally equivalent FCM 

fragments using network element interdependencies; 

sampling generated incoming real-time events from the network; and 
diagnosing each of the generated problems by mapping the received sampled 

events to the formed FCM fragments. 

23. The method of claim 22, wherein forming the FCM fragments comprises: 
determining event nodes from events in the database; 

identifying concept nodes from the determined event nodes; and 
forming FCM fragments including interdependencies between the concept 
and event nodes using the determined event nodes and the identified concept nodes. 

24. The method of claim 23, wherein diagnosing the sampled events comprises: 
mapping the sampled real-time events to the formed FCM fragments 

including determined event nodes to evaluate the effect of the mapped event nodes 
on the identified concept nodes using the determined interdependencies; 

identifying the problems by analyzing the concept nodes based on the 
outcome of the evaluation; and 

diagnosing the problems based on the outcome of the analysis. 

25. A computer readable medium having computer-executable instructions to 
diagnose problems from multiple events in a system of managed components 
generating real-time events of problems, comprising: 

forming frizzy cognitive maps (FCMs) including causally equivalent FCM 

fragments using network element interdependencies derived from a database 
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defining the network managed objects and event notifications that convey the state 

of one or more managed objects; 

sampling generated incoming real-time events from the system; and 
diagnosing problems by mapping the sampled events to the formed FCM 

fragments. 

26. The computer readable medium of claim 25, wherein forming the FCM 
fragments comprises: 

determining event nodes from events in the database; 
identifying concept nodes from the determined event nodes; and 
forming FCM fragments including interdependencies between the concept 
and event nodes using the determined event nodes and the identified concept nodes. 

27. The computer readable medium of claim 26, wherein diagnosing the 
sampled events comprises: 

mapping the sampled real-time events to the formed FCM fragments 
including determined event nodes evaluate the effect of the mapped event nodes on 
the identified concept nodes using the determined interdependencies; 

identifying the problems by analyzing the concept nodes based on activation 
levels of the concept nodes; and 

diagnosing the problems based on the outcome of the analysis. 

28. The computer readable medium of claim 27, wherein the system comprises: 
a system selected from the group consisting of explicit system, imphcit 

system, centralized system, partially centraUzed system, and distributed system. 

29. The computer readable medium of claim 28, wherein the events comprise: 
exceptional conditions occurring in the operation of the network. 
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30. The computer readable medium of claim 29, wherein the event nodes 
comprise: 

significant events selected from the group consisting of hardware/software 
failures, performance bottlenecks, configuration problems, and security violations. 

3 1 . The computer readable medium of claim 27, wherein identifying the concept 
nodes comprises: 

identifying a composite set of events that capture the notion of an abstract 
exception condition in the network. 

32. The computer readable medium of claim 27, wherein evaluating the effect of 
the received event nodes on the concept nodes, comprises: 

computing an indirect effect of events on concept nodes using the equations: 
Ipx(EuQ) = min(g (Ei, Q)) = imn( g (Ei,Ek))© (E^,q)) 

wherein the indirect effect of events Ei on concept nodes Q can be defined as 
the intersection of the linked causal types and can be described by the above equation, 
g is a function which takes ly to [0,1] in path 'p' i.e. eiy = f ^ (ly, ), lay e {0,1}, 

and © represents a concatenation of paths, wherein the concatenation operator© is 
generally considered as a fuzzy 'and' operator, wherein the operator (t-norm) for 
intersection of two fuzzy sets other than 'min' can be used using a 'bounded 
difference,' wherein the bounded difference can be computed using the equation: 

/i/^)) - max{0, ^J^x) + jU/^) -1} 

wherein ti() is a t-norm between fuzzy sets A and B with membership 
functions jlia and |lib. 

33. A computer system to diagnose problems from multiple events in a system 
of managed components generating real-time events of problems, comprising: 

a storage device; 
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an output device; and 

a processor programmed to repeatedly perform a method, comprising: 
forming fuzzy cognitive maps (FCMs) including causally equivalent FCM 

fragments using network element interdependencies derived from a database 

defining the network managed objects and event notifications that convey the state 

of one or more managed objects; 

sampling generated incoming real-time events from the system; and 
diagnosing problems by mapping the sampled events to the formed FCM 

fragments. 

34. The system of claim 33, wherein forming the FCM fragments comprises: 
determining event nodes from events in the database; 

identifying concept nodes from the determined event nodes; and 
forming FCM fragments including interdependencies between the concept 
and event nodes using the determined event nodes and the identified concept nodes, 

35. The system of claim 34, wherein diagnosing the sampled events comprises: 
mapping the sampled real-time events to the formed FCM fragments 

including determined event nodes evaluate the effect of the mapped event nodes on 
the identified concept nodes using the determined interdependencies; 

identifying the problems by analyzing the concept nodes based on the 
outcome of the evaluation; and 

diagnosing the problems based on the outcome of the analysis. 

36. The system of claim 35, wherein the events comprise: 
exceptional conditions occurring in the operation of the network. 

37. The system of claim 35, wherein the event nodes comprise: 

significant events selected from the group consisting of hardware/software 

failures, performance bottlenecks, configuration problems, and security violations. 
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38. The system of claim 35, wherein identifying the concept nodes comprises: 
identifying a composite set of events that capture the notion of an abstract 

exception condition in the network. 

39. The system of claim 35, wherein forming the FCM, comprises: 
capturing system event interdependencies by interconnecting event and 

concept nodes using interdependency ^cs that capture temporal and logical 
dependencies. 

40. The system of claim 35, wherein evaluating the effect of the received event 
nodes on the concept nodes, comprises: 

computing an indirect effect of events on concept nodes using the equations: 
Ipx(Ei,Ci)-inin(g (Ei,Cj)) = min(g (Ei, Ek)) 8 ®imn(g (E^n, Cj)) 

wherein the indirect effect of events Ei on concept nodes Q can be defined as 
the intersection of the link causal types and can be described by the above equation, 
^px isafunction which takeslijto[0,l]inpath^p' i.e. eiij = f-^(Iij,^ij),^y g {0,1}, 

and © represents a concatenation of paths, wherein the concatenation operator© is 
generally considered as a fuzzy 'and' operator, wherein the operator (t-norm) for 
intersection of two fuzzy sets other than 'min' can be used using a 'bounded 
difference,' wherein the bounded difference can be computed using the equation: 

UifJiS^l jU/^)) = max{0, ^p) + ^p) - 1} 

wherein ti() is a t-norm between fuzzy sets A and B with membership 
functions jua and |lib- 

41 . An event-correlation system to diagnose problems from multiple incoming 
real-time events in a communication network of managed components generating 
real-time events of problems, comprising: 
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an event-analyzer to form fuzzy cognitive map (FCM) fragments using 
network element interdependencies derived from a database defining the network 
managed objects and event notifications that convey the state of one or more 
managed objects; and 

an event-processing module coupled to the event-analyzer to sample 
generated incoming real-time events from the network, wherein the analyzer to 
diagnose the problems from the sampled events by mapping the sampled events to 
the formed FCM fragments. 

42. The event-correlation system of claim 41, wherein the analyzer forms FCM 
fragments by determining event nodes from events in the database, and by fiirther 
identifying concept nodes from the determined event nodes to form FCM fragments 
including interdependencies between the identified concept nodes and the 
determined event nodes. 

43 . The event-correlation system of claim 4 1 , wherein the analyzer further maps 
the sampled events to the formed FCM fragments including determined event nodes 
to evaluate the effect of the mapped events on the determined concept nodes using 
the determined interdependencies, wherein the analyzer identifies the problems by 
analyzing the concept nodes based on the outcome of the evaluation and further 
diagnoses the problems based on the outcome of the analysis. 

44. The event-correlation system of claim 43, wherein the communication 
network comprises: 

a system selected from the group consisting of explicit system, implicit 
system, centralized system, partially centralized system, and distributed system, 

45. The event-correlation system of claim 43, wherein the events comprise: 
exceptional conditions occurring during operation of the network. 
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46. The event-correlation system of claim 45, wherein the event nodes comprise: 
significant events selected from the group consisting of hardware/software 

failures, performance bottlenecks, configuration problems, aad security violations. 

47. The event-correlation system of claim 46, wherein the analyzer determines 
the event nodes fi-om a database defining the network managed- objects and event 
notifications that convey the state of one or more managed objects. 

48. The event-correlation system of claim 47, wherein the analyzer determines 
the event nodes firom expert knowledge of the network. 

49. The event-correlation system of claim 48, wherein the managed objects 
comprise: 

objects selected fi"om the group consisting of network objects, attached 
systems, and application objects. 

50. The event-correlation system of claim 48, wherein the database comprises: 
static information associated with each class of managed objects and/or 

dynamic information that affects the causal propagation of events. 

5 1 . The event-correlation system of claim 43 , further comprising: 

a communication interface module coupled between the network and the 
event-processing module to extract events firom real-time messages received in 
different formats from the network and to fiirther sample the extracted events 
sequentially in the order they are received. 

52. The event-correlation system of claim 43, wherein the analyzer identifying 
the concept nodes comprises a composite set of events that capture a notion of an 
abstract exception condition in the network. 
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53. The event-correlation system of claim 52, wherein the abstract exception 
condition comprises conditions selected from the group consisting of a notion of 
fault and a notion of performance degradation. 

54. The event-correlation system of claim 52, wherein the analyzer captures the 
abstract exception condition by capturing normal paths based on predetermined 
criteria from which for the events are diagnosed. 

55. The event-correlation system of claim 54, wherein the criteria comprises: 
causal and temporal inconsistencies between events. 

56. The event-correlation system of claim 43, wherein the analyzer forms FCM 
by capturing system event interdependencies. 



57. The event-correlation system of claim 56, wherein the analyzer captures 
system interdependencies by interconnecting event and concept nodes using 
interdependency arcs to capture temporal and logical dependencies. 

58. The event-correlation system of 57, wherein the interdependency arcs 
comprise: 

weights based on temporal and logical dependencies. 

59. The event-correlation system of claim 43, wherein the analyzer evaluates an 
indirect effect of events on concept nodes using the equations: 

Ipx(Ei, Q) = min( g (Ei, Q)) = imn( q (Ei, Ej,)) ® ® imn( g (E^n, Q)) 

wherein the indirect effect of events Ei on concept nodes Ci can be defined as 
the intersection of the link causal types and can be described by the above equation, 
is a function which takes ly to [0,1] in path ^p' i.e. enj = f -> (ly, ), ^ly g {0,1 }, 

and ® represents a concatenation of paths, wherein the concatenation operator© is 
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generally considered as a fuzzy 'and' operator, wherein the operator (t-norm) for 
intersection of two fuzzy sets other than 'min' can be used using a 'bounded 
difference/ wherein the bounded difference can be computed using the equation: 

t,(jd^(x), ld^(x)) = max{0, ^^(x) + jU^ W - 1} 

wherein tiQ is a t-norm between fuzzy sets A ^d B with membership 
functions \xa and ^B• 

60. The event-correlation system of claim 59, wherein the analyzer maps the 
received real-time events to the formed FCM fragments by correlating the received 
events to the identified concept nodes to evaluate the effect of the received event 
nodes on the identified concept nodes using the determined element 
interdependencies. 

61 . The event-correlation system of claim 59, wherein the analyzer correlates the 
received events by accumulating evidence based on the received event nodes and 
compares the accumulated evidence to a threshold value, and analyzes the concept 
nodes based on the outcome of the comparing to evaluate the effect of the received 
event nodes. 

62. The event-correlation system of claim 43, further comprising: 

an interface output module coupled to the event-analyzer to output one or 
more solutions based on the outcome of diagnosing the problems by the analyzer. 

63. The event-correlation system of claim 62, further comprising: 
a memory to store the static and dynamic information. 
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